Full Report
BRICKSTORM is a Go backdoor (with SOCKS proxying) deployed preferentially on Linux/BSD network and edge appliances that often lack EDR coverage. Attackers favor devices like VMware vCenter/ESXi as pivot points, using valid credentials harvested from appliances to move laterall...
Analysis Summary
# Threat Actor: UNC5221 (Associated with BRICKSTORM)
## Attribution & Identity
* **Identification:** UNC5221
* **Aliases:** None stated in the source report.
* **Known Associations:** Associated with the deployment of the BRICKSTORM espionage backdoor.
## Activity Summary
BRICKSTORM has been deployed in an espionage campaign primarily targeting the U.S. Tech and Legal sectors. The activity involves targeting network and edge appliances, leveraging these systems as pivot points to gain access to sensitive data. Observed activity indicates active development of the malware, including obfuscation techniques and sophisticated C2 strategies.
## Tactics, Techniques & Procedures
* **Initial Access:** Unknown.
* **Credential Access:** BRICKSTEAL, an in-memory Tomcat Servlet Filter, is loaded into vCenter's web stack to hook the SSO login URIs and capture the credentials submitted to them. Because the filter exists only in memory, it leaves no file on disk to find.
* **Lateral Movement:** Uses the valid credentials harvested from the compromised appliances to move laterally within the network.
* **Persistence:** Survives reboots by adding entries to the appliance's startup paths (`init.d` scripts, `rc.local`, or `systemd` units).
* **Collection/Exfiltration:** Clones high-value Windows VMs (Domain Controllers, identity providers, secret vaults) in vCenter, copies files out of the powered-off clone without ever booting it, then deletes the clone to remove the evidence. For mailbox collection, the actor uses Entra ID enterprise applications granted the `mail.read` or `full_access_as_app` permission, which allow reading mail tenant-wide with an app-only token and no user sign-in.
* **C2:** Resolves its C2 endpoints over DNS-over-HTTPS (DoH), so the lookups do not appear in the organization's own DNS resolver logs.
* **Obfuscation:** Binaries are obfuscated with Garble, and the backdoor is deployed under names that blend in with legitimate processes on the host appliance.
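The persistence entries described above are exactly the ones a defender can baseline on an appliance. As an added example (not code from the report or from any vendor), the following Python audits `rc.local`, `init.d` scripts and `systemd` units for three generic tells: a boot-time entry launched from a writable directory, one hidden in a dot-directory, or one that borrows a system daemon's name at a non-standard path. The trusted and writable directory lists, the `KNOWN_DAEMONS` table and every file in `SAMPLE_FILES` are constructed assumptions for the demo.

```python
"""Audit Linux startup paths (rc.local, init.d scripts, systemd units) for
entries that look like planted persistence.

Added example, not code from the BRICKSTORM report or any vendor tool.
All directory lists, the daemon table and the sample files are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Directories a packaged appliance daemon is normally started from (assumption).
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
                    "/usr/libexec/", "/lib/", "/opt/vmware/")
# Directories nothing should be started from at boot.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/",
                     "/var/log/", "/var/spool/")
# Paths startup files reference but never execute (pid files, devices, config).
IGNORED_PREFIXES = ("/dev/", "/etc/", "/run/", "/var/run/", "/proc/", "/sys/")
# Canonical locations of daemons whose names get borrowed (assumption; build the
# real table from the appliance's package manifest).
KNOWN_DAEMONS = {"sshd": {"/usr/sbin/sshd"}, "crond": {"/usr/sbin/crond"}}

WRITABLE = "launched from a world-writable or user directory"
HIDDEN = "hidden path component"
MIMIC = "binary name mimics a system daemon at a non-standard path"
UNTRUSTED = "executable outside trusted system directories"


@dataclass(frozen=True)
class Finding:
    source: str  # startup file the entry came from
    path: str    # path launched or referenced at boot
    reason: str


# ExecStart= may carry systemd's "-", "@", "+", "!" or ":" prefixes before the path.
_EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Reload)=\s*[-@+!:]*\s*(\S+)", re.M)
# Absolute paths anywhere on a shell line (covers DAEMON=/x/y and --exec /x/y).
_ABS_PATH_RE = re.compile(r"(?<![\w./-])(/(?:[\w.+-]+/)*[\w.+-]+)")


def boot_paths(source: str, text: str) -> list:
    """Paths a startup file would launch or reference at boot."""
    if source.endswith(".service"):
        return _EXEC_RE.findall(text)
    found = []
    for line in text.splitlines():
        if line.strip().startswith("#"):  # shell comment or shebang line
            continue
        found.extend(_ABS_PATH_RE.findall(line))
    return [p for p in found if not p.startswith(IGNORED_PREFIXES)]


def assess(path: str) -> Optional[str]:
    """Return the first matching reason a boot-time path looks suspicious."""
    if path.startswith(WRITABLE_PREFIXES):
        return WRITABLE
    if any(part.startswith(".") for part in path.split("/") if part):
        return HIDDEN
    name = path.rsplit("/", 1)[-1]
    if name in KNOWN_DAEMONS and path not in KNOWN_DAEMONS[name]:
        return MIMIC
    if not path.startswith(TRUSTED_PREFIXES):
        return UNTRUSTED
    return None


def audit(files: dict) -> list:
    """Scan a mapping of startup-file path -> contents and return Findings."""
    findings, seen = [], set()
    for source, text in files.items():
        for path in boot_paths(source, text):
            reason = assess(path)
            if reason and (source, path) not in seen:
                seen.add((source, path))
                findings.append(Finding(source, path, reason))
    return findings


SAMPLE_FILES = {  # constructed, not taken from a real appliance
    "/usr/lib/systemd/system/sshd.service":
        "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "/etc/systemd/system/vmware-updmgr.service":
        "[Service]\nExecStart=-/opt/vmware/.vpxd-helper/vpxd --daemon\nRestart=always\n",
    "/etc/rc.local":
        "#!/bin/sh -e\n/usr/sbin/ntpd -g\n"
        "nohup /var/tmp/.cache/sshd -c /var/tmp/.cache/conf >/dev/null 2>&1 &\nexit 0\n",
    "/etc/init.d/net-monitor":
        "#!/bin/sh\nDAEMON=/usr/local/bin/sshd\ncase \"$1\" in\n"
        "  start) start-stop-daemon --start --background --exec $DAEMON ;;\nesac\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f.source}: {f.path} ({f.reason})")
```

On a live appliance, feed `audit()` the contents of `/etc/rc.local`, `/etc/init.d/*` and every `*.service` under `/etc/systemd/system` and `/usr/lib/systemd/system`, and diff the findings against a golden image; a clean system should produce an empty list, so any new finding after patch day is worth a look.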
## Targeting
* **Sectors:** U.S. Tech Sector, U.S. Legal Sector.
* **Geography:** United States (U.S.).
* **Victims:** Organizations utilizing VMware vCenter and ESXi servers.
## Tools & Infrastructure
* **Malware Families:**
* **BRICKSTORM:** A Go backdoor featuring SOCKS proxying capabilities.
* **BRICKSTEAL:** Used for credential access via vCenter SSO hooking.
* **SLAYSTYLE:** A JSP web shell.
* **Infrastructure:** C2 is fronted by Cloudflare Workers and Heroku applications, and C2 domains are not reused between victims, so indicators from one intrusion rarely carry over to another. Access to Entra ID is performed through commercial VPNs and an obfuscation network.
## Implications
This threat actor demonstrates a high level of sophistication, concentrating on low-visibility virtualization and edge appliances (vCenter, ESXi and other Linux/BSD-based devices) that fall outside the coverage of Windows-centric EDR. The objective appears to be long-term espionage and data exfiltration, with identity infrastructure and the virtual machines that host it as the primary targets.
## Mitigations
* Because ESXi, vCenter and similar appliances cannot run standard EDR agents, forward their logs (syslog, vCenter events, audit records) to central monitoring and alert on behavioural anomalies there rather than relying on host agents.
* Review and harden VMware vCenter/ESXi configurations, and alert on VM clone operations against Domain Controllers, identity providers and vaults, especially clones that are deleted without ever being powered on.
* Audit Entra ID enterprise applications for application permissions such as `Mail.Read` or `full_access_as_app`, which grant mailbox access across the whole tenant; remove them where they are not needed and scope the remaining ones to specific mailboxes with an Exchange Online application access policy.
* Baseline the `init.d`, `rc.local` and `systemd` unit files on appliances and alert on new or modified entries, particularly ones that launch binaries from writable directories or under names that mimic system daemons.
* Protect vCenter SSO: since BRICKSTEAL captures whatever is typed into the SSO login endpoint, avoid signing in to vCenter with highly privileged domain accounts, and rotate the credentials of every account that authenticated to a vCenter suspected of compromise.
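The clone-and-delete pattern called out in the mitigations above (and under Collection/Exfiltration) can be expressed as a correlation over vCenter's own event stream. As an added example (not code from the report or from VMware), the following Python keys on a `VmClonedEvent` whose source VM looks like identity or secrets infrastructure, then checks whether the clone was ever powered on before a `VmRemovedEvent` for it arrives. The event type names are vSphere's; the flat five-field layout, the `SENSITIVE_NAME_RE` naming convention, the `APPROVED_CLONERS` set and the sample events are constructed assumptions for the demo.

```python
"""Flag vCenter clone operations that match the clone-and-extract pattern:
a high-value VM is cloned, the clone is never powered on, and it is deleted
shortly afterwards.

Added example, not code from the BRICKSTORM report or from VMware. Event type
names are vSphere's; the field layout and sample events are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# VM naming patterns that mark identity or secrets infrastructure (assumption:
# adapt to the site's naming scheme, or replace with an explicit inventory list).
SENSITIVE_NAME_RE = re.compile(r"(^|[-_])(dc|adfs|idp|sso|pki|vault|okta)\d*([-_]|$)", re.I)
# Accounts permitted to clone sensitive VMs, e.g. a backup service (assumption).
APPROVED_CLONERS = {"VSPHERE.LOCAL\\backup-svc"}


@dataclass
class Alert:
    severity: str
    source_vm: str
    clone: str
    user: str
    detail: str


def is_sensitive(vm_name: str) -> bool:
    return SENSITIVE_NAME_RE.search(vm_name) is not None


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_suspicious_clones(events: list, window: timedelta = timedelta(hours=24)) -> list:
    """Correlate clone, power-on and removal events per clone name.

    Each event is a dict with: time (ISO 8601), type (vSphere event type),
    vm (VM the event is logged against), sourceVm (origin VM, clone events
    only), user (vCenter principal that performed the action).
    """
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "VmClonedEvent" or not is_sensitive(ev["sourceVm"]):
            continue
        clone, cloned_at = ev["vm"], _ts(ev["time"])
        powered_on, removed_at = False, None
        # Walk forward through the clone's own lifecycle inside the window.
        for later in events[i + 1:]:
            if later["vm"] != clone or _ts(later["time"]) - cloned_at > window:
                continue
            if later["type"] == "VmPoweredOnEvent":
                powered_on = True
            elif later["type"] == "VmRemovedEvent":
                removed_at = _ts(later["time"])
                break
        if removed_at is not None and not powered_on:
            severity = "high"
            detail = f"clone deleted after {removed_at - cloned_at} without being powered on"
        elif ev["user"] not in APPROVED_CLONERS:
            severity = "medium"
            detail = "sensitive VM cloned by an account outside the approved set"
        else:
            severity = "low"
            detail = "sensitive VM cloned by an approved account"
        alerts.append(Alert(severity, ev["sourceVm"], clone, ev["user"], detail))
    return alerts


SAMPLE_EVENTS = [  # constructed for the demo
    {"time": "2025-09-01T02:10:00Z", "type": "VmClonedEvent", "vm": "dc01-tmp",
     "sourceVm": "dc01", "user": "VSPHERE.LOCAL\\svc-monitor"},
    {"time": "2025-09-01T02:47:00Z", "type": "VmRemovedEvent", "vm": "dc01-tmp",
     "sourceVm": "", "user": "VSPHERE.LOCAL\\svc-monitor"},
    {"time": "2025-09-01T09:00:00Z", "type": "VmClonedEvent", "vm": "adfs01-dr",
     "sourceVm": "adfs01", "user": "VSPHERE.LOCAL\\backup-svc"},
    {"time": "2025-09-01T09:05:00Z", "type": "VmPoweredOnEvent", "vm": "adfs01-dr",
     "sourceVm": "", "user": "VSPHERE.LOCAL\\backup-svc"},
    {"time": "2025-09-01T10:00:00Z", "type": "VmClonedEvent", "vm": "web02-test",
     "sourceVm": "web02", "user": "VSPHERE.LOCAL\\Administrator"},
    {"time": "2025-09-01T10:10:00Z", "type": "VmClonedEvent", "vm": "vault01-copy",
     "sourceVm": "vault01", "user": "VSPHERE.LOCAL\\Administrator"},
]

if __name__ == "__main__":
    for a in detect_suspicious_clones(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.source_vm} -> {a.clone} by {a.user}: {a.detail}")
```

With real data, map the records returned by the vSphere EventManager (or by a tool such as `govc events`) onto these five fields; `VmClonedEvent` is logged against the new VM with `sourceVm` pointing at the origin, which is why the correlation keys on the clone's name. Tune `SENSITIVE_NAME_RE` toward an explicit inventory list if VM names are not descriptive, since a miss here is a miss on the highest-value asset in the environment.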